


Classified Ads Phishing – Fake “Payment Received” & Bank Credential Harvesting
This phishing campaign is designed to steal online banking credentials from sellers on classified ad platforms (such as Facebook Marketplace, Jófogás, or Vatera) in Hungary. The scam is presented in three steps, creating an illusion of a legitimate payment holding service.
How it works:
The victim (a seller) receives a message from a potential buyer claiming they have paid for the item. The buyer sends a link to a fake “payment confirmation” page that mimics a trusted escrow or payment protection service.
Step 1 – The Fake Payment Confirmation Page (First Screenshot)
This page claims:
An item (PS4 games) has been paid: 8000 HUF (Hungarian forints)
The buyer’s shipping address (partial and containing errors: “agytéti” is likely a misspelling of Ágostyán or similar)
The buyer’s name: Adrián Szőke
Instructions: “Vigye fel a pénzt a bankkártyájára” – “Transfer the money to your bank card and send the item”
The page uses Hungarian language and presents itself as a secure intermediary. The seller is told they must click “Megkaptam a fizetést” (I received the payment) to proceed.
Step 2 – Bank Selection Page (Second Screenshot)
After clicking, the victim is taken to a page asking them to select their bank from a list of major Hungarian banks:
CIB BANK
K&H Bank (misspelled as “BESTEÉ” in the screenshot, likely an error or placeholder)
Raiffeisen BANK
Takarékbank (misspelled as “TAKABÉKBANK”)
Gránit Bank (misspelled as “GJÁNIT BANK”)
UniCredit Bank
Step 3 – Fake Bank Login Page (Third Screenshot)
Once a bank is selected (in this case, Raiffeisen), the victim is taken to a fake Raiffeisen login page. This page asks for:
Direkt ID (8-digit online banking identifier)
Password
The page mimics Raiffeisen’s branding and includes references to “RaIPay” (a real Raiffeisen payment service) to appear authentic.
The goal:
The attacker steals the victim’s online banking credentials (Direkt ID and password). With these, they can log in to the victim’s real bank account, transfer funds, or authorize fraudulent payments. There is no actual buyer, no payment of 8000 HUF, and no legitimate escrow service—the entire transaction is fabricated to trick sellers into “claiming” money that doesn’t exist.
Red flags to watch for:
Fake payment intermediary: Legitimate classified ad platforms (like Facebook Marketplace) do not use third-party pages to “hold” payments. Buyers either pay in person or through official platform payment systems.
Grammatical errors and misspellings: The first page contains a misspelled location (“agytéti”), and the second page has multiple bank name misspellings (“BESTEÉ,” “TAKABÉKBANK,” “GJÁNIT BANK”). Official financial pages do not have such errors.
Suspicious URL: All pages are hosted on domains that are neither official bank domains nor legitimate classified platform domains.
Request for banking credentials: No legitimate payment process requires a seller to log into their bank account through a link provided by the buyer to receive funds.
Pressure to ship: The first page instructs the seller to ship the item after “receiving” the payment—sellers who fall for this may ship the item before realizing no payment was ever made.
No actual funds transfer: The process involves no real money movement; it’s purely a credential harvesting scheme.
What to do if you encounter this:
Do not click “Megkaptam a fizetést” or any buttons on these pages.
Do not select your bank or enter any login credentials.
If you are selling items online, never click links sent by buyers claiming payment is waiting. Instead, check the official platform (Facebook Marketplace, etc.) for payment confirmation.
If a buyer insists you click a link to “receive payment,” it is a scam. Legitimate buyers pay through official platform mechanisms or in cash upon pickup.
Report the phishing pages to the banks being impersonated and to the classified platform where the scam originated.
Why this scam is effective:
Sellers are eager to complete sales and may not be familiar with how online payment intermediaries work. The promise of already-received funds (8000 HUF) creates a sense of urgency to “claim” the money and ship the item. By using localized Hungarian language and mimicking familiar bank interfaces, the scam successfully lowers suspicion.
Protective measures:
Always complete transactions in person with cash, or use official platform payment systems
Never click links from buyers claiming payment is pending—log in to the platform directly
Never enter bank login credentials on a page you reached via an unsolicited link
Verify the URL carefully: official Hungarian banking domains end in .hu and use proper spelling (e.g., raiffeisen.hu, cib.hu, kh.hu)
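The URL check above can be automated. The following is an added example, not part of the original write-up: it accepts a link only when its host is exactly one of the official domains listed above (or a subdomain of one) over HTTPS, and flags hosts that merely contain or nearly spell a bank name. The function names, the 0.8 similarity threshold and the sample links are assumptions made for illustration; links are assumed to be absolute URLs with a scheme.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Official domains named in the article; extend with other banks as needed.
OFFICIAL = {"raiffeisen.hu", "cib.hu", "kh.hu"}
BRANDS = {d.split(".")[0] for d in OFFICIAL}

def resembles_brand(token: str) -> bool:
    """True if a host-name token equals, contains or nearly spells a brand."""
    for brand in BRANDS:
        if token == brand:
            return True
        # Substring and fuzzy checks only for long brands: "kh" and "cib"
        # are short enough to appear inside unrelated words.
        if len(brand) >= 5 and (
            brand in token
            or SequenceMatcher(None, token, brand).ratio() >= 0.8  # assumed threshold
        ):
            return True
    return False

def classify_link(url: str) -> str:
    """Return 'official', 'suspicious' or 'unrelated' for a received link."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "unrelated"
    # A user@host URL shows a trusted name before "@" but loads the host after it.
    if "@" in parts.netloc:
        return "suspicious"
    for dom in OFFICIAL:
        # Exact match or true subdomain; a bank login page must also be HTTPS.
        if host == dom or host.endswith("." + dom):
            return "official" if parts.scheme == "https" else "suspicious"
    tokens = [t for label in host.split(".") for t in label.split("-")]
    return "suspicious" if any(resembles_brand(t) for t in tokens) else "unrelated"

# Constructed sample links (not taken from the campaign).
SAMPLES = [
    "https://www.raiffeisen.hu/login",
    "https://raiffeisen.hu.pay-confirm.example/login",
    "https://raiffeissen.hu/",
    "https://kh-fizetes.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

Note that the third sample ends in .hu and is still flagged: the ending alone proves nothing, the whole registered domain has to match.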
